+9 -1

hosts/alastor/configuration.nix

reviewed

··· 8 8 ../../modules/status 9 9 ../../modules/knot/sync.nix 10 10 ../../modules/bluesky-pds/default.nix 11 11 + ../../modules/atuin-server 11 12 inputs.tangled.nixosModules.knot 12 13 ]; 13 14 ··· 140 141 enable = true; 141 142 hostname = "alastor"; 142 143 domain = "alastor.hogwarts.channel"; 143 143 - services = [ "frps" "caddy" "tailscaled" "tangled-knot" ]; 144 144 + services = [ "frps" "caddy" "tailscaled" "tangled-knot" "atuin-server" ]; 144 145 cloudflareCredentialsFile = config.age.secrets.cloudflare-credentials.path; 145 146 }; 146 147 ··· 164 165 mailerEnvironmentFile = config.age.secrets.pds-mailer.path; 165 166 enableGatekeeper = false; # Disabled for now - was causing pdsadmin issues 166 167 enableAgeAssurance = true; 168 168 + }; 169 169 + 170 170 + # Atuin sync server 171 171 + atelier.services.atuin-server = { 172 172 + enable = true; 173 173 + hostname = "atuin.hogwarts.dev"; 174 174 + cloudflareCredentialsFile = config.age.secrets.cloudflare-credentials.path; 167 175 }; 168 176 169 177

+8

hosts/remus/default.nix

reviewed

··· 16 16 mode = "400"; 17 17 }; 18 18 19 19 + # Atuin encryption key for auto-login 20 20 + age.secrets.atuin-key = { 21 21 + file = ../../secrets/atuin-key.age; 22 22 + path = "/Users/jsp/.local/share/atuin/key"; 23 23 + owner = "jsp"; 24 24 + mode = "400"; 25 25 + }; 26 26 + 19 27 # Remus-specific homebrew casks 20 28 homebrew.casks = [ 21 29 # Add Mac apps specific to your laptop

+97

modules/atuin-server/default.nix

reviewed

··· 1 1 + # modules/atuin-server/default.nix 2 2 + # NixOS module for self-hosted Atuin sync server 3 3 + { lib, config, pkgs, ... }: 4 4 + let 5 5 + cfg = config.atelier.services.atuin-server; 6 6 + in 7 7 + { 8 8 + options.atelier.services.atuin-server = { 9 9 + enable = lib.mkEnableOption "Atuin sync server"; 10 10 + 11 11 + hostname = lib.mkOption { 12 12 + type = lib.types.str; 13 13 + example = "atuin.example.com"; 14 14 + description = "Hostname for the Atuin server."; 15 15 + }; 16 16 + 17 17 + port = lib.mkOption { 18 18 + type = lib.types.int; 19 19 + default = 8888; 20 20 + description = "Internal port for the Atuin server."; 21 21 + }; 22 22 + 23 23 + openRegistration = lib.mkOption { 24 24 + type = lib.types.bool; 25 25 + default = true; 26 26 + description = "Whether to allow new user registrations."; 27 27 + }; 28 28 + 29 29 + dataDir = lib.mkOption { 30 30 + type = lib.types.path; 31 31 + default = "/var/lib/atuin-server"; 32 32 + description = "Directory for Atuin server data (SQLite database)."; 33 33 + }; 34 34 + 35 35 + cloudflareCredentialsFile = lib.mkOption { 36 36 + type = lib.types.path; 37 37 + description = "Path to Cloudflare API credentials file for ACME."; 38 38 + }; 39 39 + }; 40 40 + 41 41 + config = lib.mkIf cfg.enable { 42 42 + # Systemd service for Atuin server 43 43 + systemd.services.atuin-server = { 44 44 + description = "Atuin Sync Server"; 45 45 + after = [ "network.target" ]; 46 46 + wantedBy = [ "multi-user.target" ]; 47 47 + 48 48 + environment = { 49 49 + ATUIN_HOST = "127.0.0.1"; 50 50 + ATUIN_PORT = toString cfg.port; 51 51 + ATUIN_OPEN_REGISTRATION = lib.boolToString cfg.openRegistration; 52 52 + ATUIN_DB_URI = "sqlite://${cfg.dataDir}/atuin.db"; 53 53 + }; 54 54 + 55 55 + serviceConfig = { 56 56 + Type = "simple"; 57 57 + ExecStart = "${pkgs.atuin}/bin/atuin server start"; 58 58 + Restart = "on-failure"; 59 59 + User = "atuin"; 60 60 + Group = "atuin"; 61 61 + WorkingDirectory = cfg.dataDir; 62 62 + 63 63 + # Hardening 64 64 + CapabilityBoundingSet = ""; 65 65 + NoNewPrivileges = true; 66 66 + ProtectSystem = "strict"; 67 67 + ProtectHome = true; 68 68 + PrivateTmp = true; 69 69 + PrivateDevices = true; 70 70 + ProtectKernelTunables = true; 71 71 + ProtectKernelModules = true; 72 72 + ProtectControlGroups = true; 73 73 + LockPersonality = true; 74 74 + ReadWritePaths = [ cfg.dataDir ]; 75 75 + }; 76 76 + }; 77 77 + 78 78 + # System user for Atuin 79 79 + users.users.atuin = { 80 80 + isSystemUser = true; 81 81 + group = "atuin"; 82 82 + home = cfg.dataDir; 83 83 + createHome = true; 84 84 + }; 85 85 + users.groups.atuin = { }; 86 86 + 87 87 + # Caddy reverse proxy 88 88 + services.caddy.virtualHosts.${cfg.hostname} = { 89 89 + extraConfig = '' 90 90 + tls { 91 91 + dns cloudflare {env.CLOUDFLARE_API_TOKEN} 92 92 + } 93 93 + reverse_proxy localhost:${toString cfg.port} 94 94 + ''; 95 95 + }; 96 96 + }; 97 97 + }

+2 -1

modules/shell.nix

reviewed

··· 389 389 settings = { 390 390 auto_sync = true; 391 391 sync_frequency = "5m"; 392 392 - sync_address = "https://api.atuin.sh"; 392 392 + sync_address = "https://atuin.hogwarts.dev"; 393 393 + key_path = "~/.local/share/atuin/key"; 393 394 search_mode = "fuzzy"; 394 395 update_check = false; 395 396 style = "auto";

+4

secrets/secrets.nix

reviewed

··· 46 46 # Format: GITHUB_TOKEN=ghp_xxxxx 47 47 "github-token.age".publicKeys = all; 48 48 49 49 + # Atuin encryption key for sync 50 50 + # Contains the raw encryption key for Atuin shell history sync 51 51 + "atuin-key.age".publicKeys = allUsers; 52 52 + 49 53 # Espanso secrets (sensitive text expansions) 50 54 # Contains: email addresses, EINs, personal addresses 51 55 "espanso-secrets.age".publicKeys = allUsers;